ipsec_certmake man page on DigitalUNIX

Printed from http://www.polarhome.com/service/man/?qf=ipsec_certmake&af=0&tf=2&of=DigitalUNIX

ipsec_certmake(8)					     ipsec_certmake(8)

NAME
       ipsec_certmake  - Creates X.509 certificates, requests, and Certificate
       Revocation Lists (CRLs)

SYNOPSIS
       /usr/sbin/ipsec_certmake [-h] file [file...]

OPTIONS
       -h     Displays a usage message and exits.

DESCRIPTION
       The ipsec_certmake command enables you to create the following:

              X.509 V3 public key certificates and hierarchies of public key
              certificates

              Certificate revocation lists (CRLs)

              PKCS10-formatted certificate requests

       This  command  and  other related certificate commands provided in this
       IPsec implementation are intended for testing purposes only.  They  are
       not  intended  to provide a complete public-key certificate infrastruc‐
       ture.

       The ipsec_certmake command reads each definition input file and creates
       the specified certificate, CRL, and certificate request files.

       Blank lines are ignored.	 Everything after the percent character (%) on
       a line is treated as a comment.

       The encoding of private key and output files is specified by preceding
       the path name with a formatting character, delimited by colons (the
       examples below use :p: for PEM and :b: for binary, as in
       ":p:myhost-rsa-request.pem").  The formats are as follows:

       Privacy Enhanced Mail (PEM) format
              The file is encoded as Base64-encoded binary.

       Binary (DER-encoded) format
              The file is encoded in accordance with the Distinguished Encod‐
              ing Rules (DER) of ASN.1.

       HEXL format
              The file is encoded as a hexadecimal string.  Each line has the
              following form:

              xxxxxxxx: yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy

              In this form, xxxxxxxx is the hexadecimal offset of the data at
              the beginning of the line and yyyy yyyy yyyy yyyy yyyy yyyy yyyy
              yyyy is up to 16 bytes of hexadecimal data.
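       The three encodings above are the only shapes in which this tool reads
       or writes keys, certificates, requests and CRLs, so it is worth being
       able to convert between them and to notice a damaged file before
       handing it to an IKE daemon.  The Python below is an added example and
       not part of Digital UNIX or its IPsec tools: it writes bytes in the
       HEXL layout described above, reads HEXL back while checking that every
       line's offset equals the number of bytes already decoded (which catches
       a dropped, duplicated or reordered line), checks that the result is one
       DER SEQUENCE whose length covers the whole file (the outer shape of a
       certificate, a CRL and a PKCS10 request alike), and wraps DER as PEM.
       The sample blob is a constructed 21-byte DER value chosen to span two
       HEXL lines, not a real certificate; how the tool writes a trailing odd
       byte is not stated on this page, so the two-digit group used here is an
       assumption.

```python
import base64
import re

# Constructed sample (not a certificate): DER SEQUENCE { INTEGER 1,
# INTEGER 2124, PrintableString "My Test CA" }, 21 bytes so that it spans
# two HEXL lines.
SAMPLE_DER = bytes.fromhex(
    "30 13 02 01 01 02 02 08 4c 13 0a 4d 79 20 54 65 73 74 20 43 41"
)


def hexl_encode(data: bytes) -> str:
    """Write bytes in the man page's HEXL layout: 'xxxxxxxx: yyyy yyyy ...',
    16 bytes per line, two bytes per group.  A trailing odd byte becomes a
    two-digit group; the page does not say how the tool handles that case,
    so this is an assumption."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        lines.append(f"{off:08x}: {' '.join(groups)}")
    return "\n".join(lines) + "\n"


HEXL_LINE = re.compile(
    r"^([0-9A-Fa-f]{8}):((?:\s+(?:[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2}))+)\s*$"
)


def hexl_decode(text: str) -> bytes:
    """Read HEXL text.  Each line's offset must equal the number of bytes
    decoded so far, so a missing, duplicated or reordered line is rejected
    instead of silently producing a shifted blob."""
    out = bytearray()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = HEXL_LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: not in HEXL form")
        off = int(m.group(1), 16)
        if off != len(out):
            raise ValueError(f"line {n}: offset {off:#010x} but "
                             f"{len(out)} bytes decoded so far")
        chunk = bytes.fromhex("".join(m.group(2).split()))
        if len(chunk) > 16:
            raise ValueError(f"line {n}: more than 16 bytes on a line")
        out += chunk
    return bytes(out)


def der_outer_ok(data: bytes) -> bool:
    """Plausibility check for a decoded blob: one DER SEQUENCE (tag 0x30)
    whose encoded length accounts for every byte.  Truncation or trailing
    garbage shows up here without a full X.509 parser."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def der_to_pem(data: bytes, label: str) -> str:
    """Wrap DER in PEM framing (Base64 in 64-column lines), the ':p:' form."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    text = hexl_encode(SAMPLE_DER)
    print(text, end="")
    blob = hexl_decode(text)
    print("round trip:", blob == SAMPLE_DER, " DER shape:", der_outer_ok(blob))
    print(der_to_pem(blob, "CERTIFICATE"), end="")
```

       Running the module prints the two HEXL lines for the sample, confirms
       the round trip, and prints the PEM form.  The offset check is the part
       worth keeping: a HEXL file that was hand-edited or mangled in transit
       will usually still decode to bytes, and only the offsets reveal that
       a line went missing.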

   Certificate Requests
       The  input  to  generate a PKCS10-formatted certificate request has the
       following form.	The  output  is	 a  file  containing  the  certificate
       request that includes the new public key and a file containing the cor‐
       responding private key.

       % -----------------------------------------------
       % Request to generate a certificate
       %
       CertificateRequest ::= {
	 OutputFile   ::= ":p:myhost-rsa-request.pem"

	 SubjectName  ::= <C=US, O=Compaq Computer Corporation, CN=myhost>

	 PublicKeyInfo ::= {
	   Size ::= 2048
	   Type ::= rsaEncryption
	   PrivateKeyFile ::= ":p:myhost-rsa-private.pem"
	 }
	 Signature ::= {
	   SignatureAlgorithm ::= sha1WithRSAEncryption
	 }

	 %
	 % Extensions
	 %
	 Extensions ::= {
	   SubjectAltNames ::= {
			       IP ::= 10.1.2.3
	   }
	   KeyUsage ::= {
	     DigitalSignature
	     KeyEncipherment
	    }
	 } }

       A description of the fields in the preceding form is as follows:

       SubjectName
              A standard X.509 distinguished name.  Fill in your own Country
              (C=), Organization (O=), and Common Name (CN=).

       Size   The key size in bits.  Base it on the size of the Certification
              Authority's (CA's) signing key.  (The examples on this page use
              1024- and 2048-bit keys; 1024-bit RSA is no longer considered
              adequate.)

       Type   Either rsaEncryption for an RSA certificate or dsaEncryption
              for a DSA certificate.

       SignatureAlgorithm
              Either sha1WithRSAEncryption or md5WithRSAEncryption for an RSA
              certificate, or dsaWithSHA-1 for a DSA certificate.  (MD5 and
              SHA-1 are no longer acceptable signature hashes and modern
              implementations reject or warn on them, which is in keeping
              with the testing-only status of this tool.)

       SubjectAltNames
              Multiple values with the following formats:

              IP ::= IP address (either IPv4 or IPv6)
              DNS ::= fully.qualified.domain.name
              EMAIL ::= user@fully.qualified.domain.name

       KeyUsage
              Any or all of the following values: DigitalSignature,
              KeyEncipherment, DataEncipherment, KeyCertSign, CRLSign,
              EncipherOnly, ServerAuth, ClientAuth, and IkeIntermediate.
              (ServerAuth, ClientAuth and IkeIntermediate are extended key
              usage purposes; the certificate example below places
              IkeIntermediate under ExtendedKeyUsage.)
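       The definition syntax shown above is regular enough to parse: a file
       is a sequence of "Kind ::= { ... }" definitions, a block holds
       "Name ::= value" fields and bare flags, a value is a quoted string, a
       number, an identifier or IP address, a distinguished name in angle
       brackets, a nested block, or a square-bracketed list of blocks, and a
       percent sign starts a comment.  The Python below is an added example
       and not code from the Digital UNIX tool; its grammar is inferred from
       the sample inputs on this page, and SAMPLE_REQUEST is the certificate
       request example above reproduced as constructed input.  Repeated keys
       (several IP ::= lines under SubjectAltNames, as in the certificate
       example later on this page) are collected into a list.

```python
"""Parser for ipsec_certmake definition files.  Added example, not code from
the Digital UNIX tool; the grammar is inferred from the page's samples:
'Name ::= value' fields, '{ }' blocks, '[ ]' lists, <C=..., CN=...> names,
"quoted" strings, bare flags such as SelfSigned, and '%' comments."""
import re

# Constructed input: the page's certificate-request example, verbatim.
SAMPLE_REQUEST = '''
% -----------------------------------------------
% Request to generate a certificate
%
CertificateRequest ::= {
  OutputFile   ::= ":p:myhost-rsa-request.pem"
  SubjectName  ::= <C=US, O=Compaq Computer Corporation, CN=myhost>
  PublicKeyInfo ::= {
    Size ::= 2048
    Type ::= rsaEncryption
    PrivateKeyFile ::= ":p:myhost-rsa-private.pem"
  }
  Signature ::= {
    SignatureAlgorithm ::= sha1WithRSAEncryption
  }
  Extensions ::= {
    SubjectAltNames ::= {
      IP ::= 10.1.2.3
    }
    KeyUsage ::= {
      DigitalSignature
      KeyEncipherment
    }
  } }
'''

TOKEN = re.compile(r'"[^"]*"|<[^>]*>|::=|[{}\[\]]|[^\s{}\[\]]+')


def parse_dn(tok):
    """<C=US, O=Org, CN=x> -> ((attr, value), ...); order matters in X.509."""
    return tuple(tuple(p.strip() for p in rdn.split("=", 1))
                 for rdn in tok[1:-1].split(","))


def split_file(spec):
    """":p:name" -> ("p", "name"); the page's examples use p for PEM, b for DER."""
    m = re.fullmatch(r":(\w):(.*)", spec)
    return (m.group(1), m.group(2)) if m else (None, spec)


class Parser:
    def __init__(self, text):
        # '%' starts a comment, so strip it before tokenizing (the page says
        # everything after it is a comment, quoted or not).
        src = "\n".join(line.split("%")[0] for line in text.splitlines())
        self.toks, self.i = TOKEN.findall(src), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise SyntaxError("unexpected end of definition input")
        self.i += 1
        return self.toks[self.i - 1]

    def value(self):
        tok = self.take()
        if tok == "{":
            return self.block()
        if tok == "[":                       # list of blocks (RevokedCertificates)
            items = []
            while self.peek() != "]":
                items.append(self.value())
            self.take()
            return items
        if tok[0] == '"':
            return tok[1:-1]
        if tok[0] == "<":
            return parse_dn(tok)
        return int(tok) if tok.isdigit() else tok   # identifier or IP address

    def block(self):
        d = {}
        while self.peek() != "}":
            name, val = self.take(), True    # bare flag unless '::=' follows
            if self.peek() == "::=":
                self.take()
                val = self.value()
            if name in d:                    # repeated key (several IP ::= lines)
                val = (d[name] if isinstance(d[name], list) else [d[name]]) + [val]
            d[name] = val
        self.take()
        return d

    def definitions(self):
        out = []                             # file = sequence of 'Kind ::= { ... }'
        while self.peek() is not None:
            kind, eq = self.take(), self.take()
            if eq != "::=":
                raise SyntaxError(f"expected '::=' after {kind}")
            out.append((kind, self.value()))
        return out


def parse(text):
    return Parser(text).definitions()
```

       parse(SAMPLE_REQUEST) returns a list with one ("CertificateRequest",
       {...}) pair whose nested dicts mirror the braces of the input; flags
       such as DigitalSignature appear as keys with the value True, and
       split_file separates the encoding letter from the path so that a PEM
       and a DER spelling of the same file can be compared.  Truncated input
       raises SyntaxError rather than returning a partial structure.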

   Certificates
       The input to generate an X.509 certificate has the following form.  The
       output is a file containing the X.509 certificate that includes the new
       public key and a file containing the corresponding private key.

					Note

       To generate a certificate, you must have already generated a Certifica‐
       tion Authority (CA) certificate and have its private (issuer) key.

       Certificate ::= {
	 OutputFile   ::= ":b:myhost-rsa.bin"

	 SerialNumber ::= 1
	 SubjectName  ::= <C=US,O=Compaq Computer Corporation, CN=myhost>
	 IssuerName   ::= <C=US,O=Compaq Computer Corporation, CN=My Test CA>
	 Validity     ::= {
	   NotBefore  ::= "1999/07/30/19:30:00"
	   NotAfter   ::= "2003/12/01/12:00:00"
	 }
	 PublicKeyInfo ::= {
	   Size ::= 1024
	   Type ::= rsaEncryption
	   PrivateKeyFile ::= ":b:myhost-rsa-private.bin"
	 }
	 Signature ::= {
	   SignatureAlgorithm ::= sha1WithRSAEncryption
	   IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
	 }
	 Extensions ::= {
	   SubjectAltNames ::= {
	     IP ::= 10.0.2.4
	     IP ::= 10.0.3.4
	   }
	   ExtendedKeyUsage ::= {
	     IkeIntermediate
	   }
	   KeyUsage ::= {
	     DigitalSignature
	     KeyEncipherment
	   }
	 } }

       A description of the fields in the preceding form is as follows:

       SubjectName
              A standard X.509 distinguished name.  Fill in your own Country
              (C=), Organization (O=), and Common Name (CN=).

       IssuerName
              Must match the X.509 name in the CA certificate.

       Validity
              Specifies a range of dates between which the certificate is
              considered valid.

       IssuerKeyFile
              Must specify the file name of the CA's private key file.

       PublicKeyInfo
              Same as the information in the certificate request.

       Extensions
              Same as the information in the certificate request.

       For  a  root  CA	 certificate, you must set additional attributes.  The
       input to create a CA certificate has the following form:

       %
       % Root CA certificate for a test RSA hierarchy
       %
       Certificate ::= {
	 OutputFile   ::= ":p:test-rsa-root.pem"

	 SerialNumber ::= 2124
	 SubjectName  ::= <C=US,O=Compaq Computer Corporation, CN=My Test CA>
	 IssuerName   ::= <C=US,O=Compaq Computer Corporation, CN=My Test CA>
	 Validity     ::= {
	   NotBefore  ::= "2000/01/01/19:30:00"	 % "2000 Jan 1st, 19:30:00"
	   NotAfter   ::= "2001/01/01/12:00:00"	 % "2001 Jan 1st,  12:00:00"
	 }
	 PublicKeyInfo ::= {
	   Size ::= 1024
	   Type ::= rsaEncryption
	   PrivateKeyFile ::= ":p:test-rsa-root-private.pem"
	 }
	 Signature ::= {
	   SelfSigned
	   SignatureAlgorithm ::= sha1WithRSAEncryption
	 }

	 Extensions ::= {
	   BasicConstraints ::= {
	     CA
	     PathLength ::= 0
	   }
	   KeyUsage ::= {
	     DigitalSignature
	     KeyCertSign
	   }
	 } }

       A description of the fields in the preceding form is as follows:

       SubjectName
              Same as IssuerName.

       IssuerName
              Same as SubjectName.

       SelfSigned
              Indicates that this is a root CA certificate, signed with its
              own PrivateKeyFile; no IssuerKeyFile is given.

       BasicConstraints
              The CA value indicates that this is a CA certificate.
              PathLength ::= 0 means the CA may sign end-entity certificates
              only, not subordinate CAs.

   Certificate Revocation Lists
       The input to generate a Certificate Revocation List (CRL) has the  fol‐
       lowing  form.  The output is a file containing an X.509 V2 CRL revoking
       the specified certificates.

					Note

       To generate a CRL, you must have already generated a CA certificate and
       have its private (issuer) key.

       %
       % Revoke two of our certificates
       %
       CRL ::= {
	 OutputFile ::= ":p:test-rsa-crl.pem"

	 ThisUpdate ::= "2000/10/19/12:00:00"
	 IssuerName ::= <C=US, O=Compaq Computer Corporation, CN=My Test CA>

	 RevokedCertificates ::= [
	   {
	     SerialNumber ::= 1
	     RevocationDate ::= "2000/10/19/08:00:00"
	   }
	   {
	     SerialNumber ::= 105
	     RevocationDate ::= "2000/09/30/08:00:00"
	   }
	 ]

	 Signature ::= {
	   SignatureAlgorithm ::= sha1WithRSAEncryption
	   IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
	 } }

       A description of the fields in the preceding form is as follows:

       ThisUpdate
              Specifies the date and time when the CRL was issued.

       IssuerName
              Must match the name of the CA certificate (its SubjectName,
              which for a root CA is also its IssuerName) for the certifi‐
              cates being revoked.

       RevokedCertificates
              A list of revoked certificates, delimited by square brackets
              ([ ]).  Certificates are revoked by specifying their serial
              number and the revocation date.

       IssuerKeyFile
              Must specify the file name of the private key for the CA
              certificate of the certificates being revoked.
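       The Certificates and Certificate Revocation Lists sections above state
       several cross-file rules (IssuerName must match the CA's name,
       IssuerKeyFile must name the CA's private key, a root CA is SelfSigned
       with the CA attributes), and a peer that validates the result will
       apply a few more.  The Python below is an added example, not code from
       the Digital UNIX tool; it checks those rules over a hierarchy given as
       Python dicts keyed exactly like the fields of the input files, with
       the root CA, the myhost certificate and the CRL from this page
       transcribed by hand as constructed input.  Run on those examples it
       reports three things the page's own samples do not satisfy: the root
       CA signs a CRL without CRLSign in its KeyUsage, the myhost certificate
       is valid from 1999 to 2003 while its CA is valid only during 2000, and
       the CRL revokes serial 105, which no certificate in the input carries.

```python
"""Consistency checks for an ipsec_certmake test hierarchy.  Added example,
not code from the Digital UNIX tool.  Definitions are dicts keyed like the
fields of the input files on this page; ROOT, HOST and CRL are the page's
root-CA, myhost and CRL examples, transcribed by hand as constructed input."""
from datetime import datetime

TEST_CA = (("C", "US"), ("O", "Compaq Computer Corporation"), ("CN", "My Test CA"))
MYHOST = (("C", "US"), ("O", "Compaq Computer Corporation"), ("CN", "myhost"))

ROOT = dict(SerialNumber=2124, SubjectName=TEST_CA, IssuerName=TEST_CA,
            Validity=dict(NotBefore="2000/01/01/19:30:00", NotAfter="2001/01/01/12:00:00"),
            PublicKeyInfo=dict(Size=1024, Type="rsaEncryption",
                               PrivateKeyFile=":p:test-rsa-root-private.pem"),
            Signature=dict(SelfSigned=True, SignatureAlgorithm="sha1WithRSAEncryption"),
            Extensions=dict(BasicConstraints=dict(CA=True, PathLength=0),
                            KeyUsage=dict(DigitalSignature=True, KeyCertSign=True)))
HOST = dict(SerialNumber=1, SubjectName=MYHOST, IssuerName=TEST_CA,
            Validity=dict(NotBefore="1999/07/30/19:30:00", NotAfter="2003/12/01/12:00:00"),
            PublicKeyInfo=dict(Size=1024, Type="rsaEncryption",
                               PrivateKeyFile=":b:myhost-rsa-private.bin"),
            Signature=dict(SignatureAlgorithm="sha1WithRSAEncryption",
                           IssuerKeyFile=":p:test-rsa-root-private.pem"),
            Extensions=dict(SubjectAltNames=dict(IP=["10.0.2.4", "10.0.3.4"]),
                            ExtendedKeyUsage=dict(IkeIntermediate=True),
                            KeyUsage=dict(DigitalSignature=True, KeyEncipherment=True)))
CRL = dict(ThisUpdate="2000/10/19/12:00:00", IssuerName=TEST_CA,
           RevokedCertificates=[dict(SerialNumber=1, RevocationDate="2000/10/19/08:00:00"),
                                dict(SerialNumber=105, RevocationDate="2000/09/30/08:00:00")],
           Signature=dict(SignatureAlgorithm="sha1WithRSAEncryption",
                          IssuerKeyFile=":p:test-rsa-root-private.pem"))
SAMPLE_DEFS = [("Certificate", ROOT), ("Certificate", HOST), ("CRL", CRL)]


def keyfile(spec):
    """":p:name" -> "name": drop the encoding prefix so the PEM and DER
    spellings of the same key file compare equal."""
    return spec[3:] if len(spec) > 3 and spec[0] == spec[2] == ":" else spec


def when(s):
    return datetime.strptime(s, "%Y/%m/%d/%H:%M:%S")


def check(defs):
    """Rules the page states (IssuerName must match the CA, IssuerKeyFile must
    name the CA's private key, a SelfSigned root carries the CA attributes)
    plus what an RFC 5280 verifier applies to the result: each certificate's
    validity inside its issuer's, CRLSign on a key that signs CRLs, revocation
    dates not later than ThisUpdate, and revoked serials this hierarchy issued."""
    certs = [d for kind, d in defs if kind == "Certificate"]
    crls = [d for kind, d in defs if kind == "CRL"]
    cas = {c["SubjectName"]: c for c in certs if c["Signature"].get("SelfSigned")}
    serials = {c["SerialNumber"] for c in certs}
    out = []
    for ca in cas.values():
        ext = ca.get("Extensions", {})
        ku = ext.get("KeyUsage", {})
        if ca["IssuerName"] != ca["SubjectName"]:
            out.append("root CA: SubjectName and IssuerName must be the same")
        if not ext.get("BasicConstraints", {}).get("CA") or "KeyCertSign" not in ku:
            out.append("root CA: needs BasicConstraints CA and KeyUsage KeyCertSign")
        if crls and "CRLSign" not in ku:
            out.append("root CA: signs a CRL but KeyUsage lacks CRLSign (RFC 5280 4.2.1.3)")

    def signer(obj, label):              # the issuing CA, or None after a diagnostic
        ca = cas.get(obj["IssuerName"])
        if ca is None:
            out.append(f"{label}: IssuerName matches no CA SubjectName")
        elif keyfile(obj["Signature"].get("IssuerKeyFile", "")) != keyfile(
                ca["PublicKeyInfo"]["PrivateKeyFile"]):
            out.append(f"{label}: IssuerKeyFile is not the CA's PrivateKeyFile")
        return ca

    for c in certs:
        if c["Signature"].get("SelfSigned"):
            continue
        label, v = f"serial {c['SerialNumber']}", c["Validity"]
        ca = signer(c, label)
        if ca and not (when(ca["Validity"]["NotBefore"]) <= when(v["NotBefore"])
                       < when(v["NotAfter"]) <= when(ca["Validity"]["NotAfter"])):
            out.append(f"{label}: validity not within the issuing CA's")
    for crl in crls:
        signer(crl, "CRL")
        for r in crl["RevokedCertificates"]:
            if when(r["RevocationDate"]) > when(crl["ThisUpdate"]):
                out.append(f"CRL: serial {r['SerialNumber']} revoked after ThisUpdate")
            if r["SerialNumber"] not in serials:
                out.append(f"CRL: serial {r['SerialNumber']} is not defined in this hierarchy")
    return out


if __name__ == "__main__":
    for problem in check(SAMPLE_DEFS):
        print("WARNING:", problem)
```

       The validity check deserves a word: RFC 5280 does not require an
       end-entity certificate's dates to sit inside its issuer's, but a peer
       evaluates every certificate in the chain at the time of use, so the
       myhost certificate above simply stops validating when the test CA
       expires on 2001/01/01, two years before its own NotAfter.  Likewise a
       CRL signed by a key without CRLSign is rejected by a conforming
       verifier even though ipsec_certmake will happily produce it.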

SEE ALSO
       Commands:  ipsec_certview(8),  ipsec_convert(8), ipsec_keypaircheck(8),
       ipsec_keytool(8)

							     ipsec_certmake(8)